Challenges in enhancing enterprise resource planning systems for compliance with Sarbanes‐Oxley Act and analogous Canadian legislation

Abstract

Purpose – This paper aims to examine major challenges faced by companies in enhancing their enterprise resource planning (ERP) systems for compliance with regulatory internal control requirements, specifically those imposed by the Sarbanes–Oxley Act (SOX) of 2002 and analogous Canadian legislation. Design/methodology/approach – Data were collected through case studies of four medium-sized and large companies that use ERP systems and that have operations in the USA and Canada, thus being subject to SOX and/or similar Canadian regulations. Findings – The companies faced some technical, process and cultural challenges in implementing regulatory control compliance. In all companies, existing ERP systems were not able to meet all control requirements without some modifications or add-on applications. Control implementations have been long, complicated and costly processes, which are not fully completed. Detailed analyses and documentation of existing systems, controls and processes were required in all companies. The protection of systems security and the segregation of duties were perceived to be major technical obstacles. Cultural factors resulted in additional challenges, notably resistance to change. Research limitations/implications – The findings of this study enhance the understanding of ERP systems design features, processes and challenges in implementing regulatory controls. As such, they provide a foundation for further empirical studies and for building models of ERP systems effectiveness in implementing effective controls. Practical implications – The study provides managers insight into challenges in enhancing ERP systems for regulatory control compliance. Lessons learned can contribute to the development and sharing of best practices and to overall organizational effectiveness. Originality/value – Using an interdisciplinary approach, the study provides new evidence on the extent to which ERP systems meet regulatory internal control requirements.